How to configure email encryption in Apple Mail

In my previous tutorial, I wrote about digitally signing emails in Apple Mail to ensure that an email being sent or received is verified as coming from a trusted source. While this does nothing to hide the contents of the email from prying eyes, it does serve to identify the users involved in sending and receiving messages at a more secure level.

If a message being received on your email client cannot be verified, chances are the message in question could have been modified during transit. This alerts you to proceed cautiously, as its integrity may have been compromised.

However, what if you wish to keep the contents of an email confidential? For that you'll need to extend the digital signing capability and encrypt the email entirely to ensure that the email is only viewable by the intended parties.

Before we look at the steps to send and receive encrypted email in Apple Mail, let's go over the requirements.

Requirements

Apple computer running OS X (10.9+)

Personal certificate (self-signed or issued from a third-party CA)

Public certificate for each user you intend on sending encrypted email to imported to the certificate store

Send encrypted email

1. Create a new message to your intended recipient. Before a message can be encrypted, a signed message must first be sent to the user(s) you wish to exchange encrypted messages with (Figure A).

Figure A

Image: Jesus Vigo/TechRepublic

2. After sending the message, you'll be prompted to allow the Mail.app to sign the email with your public certificate. Your public certificate will be used by recipients to encrypt future messages sent to you, so a copy of your public certificate will be included in this initial message (Figure B).

Figure B

Image: Jesus Vigo/TechRepublic

3. Once the user(s) receive your initial message your public certificate will be added to their certificate store and used to verify your signed messages. This will make up one-half of the encryption process; the second half will occur when the recipients reply to your signed message in-turn, providing you with a copy of their public certificate (Figure C).

Figure C

Image: Jesus Vigo/TechRepublic

4. The reply message from your recipients will prompt them to allow Mail.app to sign their message with their public certificate. Once they allow this, the email will be delivered to your inbox and a copy of their public certificate will be imported into your certificate store and stored in Keychain (Figure D).

Figure D

Image: Jesus Vigo/TechRepublic

5. The process is completed when both parties have exchanged public certificates. Now when replying to or creating a new message to the user(s) you've exchanged certificates with, the padlock icon will be available for the sender to enable encryption (Figure E).

Figure E

Image: Jesus Vigo/TechRepublic

6. By clicking the padlock, encryption will be enabled, and the message will be viewable only by the recipients that have provided you their public certificates (Figure F).

Figure F

Image: Jesus Vigo/TechRepublic

With encryption in place, the contents of sensitive emails can be secured from unintended parties, as this information can only be decrypted by the intended recipient's private certificate when enabled.

Subsequently, any recipients included in an encrypted email that have not exchanged public certificates with the sender will not be able to decrypt the messages until the certificates have been exchanged. Until then, encrypted messages will display an error stating that the message cannot be viewed.

Share your experiences

Have you implemented encrypted email at your site? If so, I'd love to hear about your experiences in certificate exchanges, or any troubles communicating via encrypted messages. Let us know in the comments.

Related Topics:

About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...

Full Bio

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.